
Firewall

The company whose products I’ve decided not to use for personal purposes any more astonished me with an inside view of how they see security. But I should tell the story step by step. When you’ve configured an MS WSUS server, you need to get your local repository synchronised somehow with the one from MS. With the high frequency of publishing new patches and fixes (which they call “updates”, as if that wouldn’t suggest that something buggy is being fixed; they could say “patch”, that would make it clearer), I synchronise basically once a day.

And with the regularity of a pulsing neutron star these synchronisations fail, because the DNS name used to connect for the updates resolves to new servers on the MS side. In order to fix this once and for all, a list of the servers used for updates would be nice. Where can you get such a list, if not from the vendor itself? It’s surprisingly easy to find in the MS TechNet. Here’s the quote:

If there is a corporate firewall between WSUS and the Internet, you might need to configure that firewall to ensure that WSUS can obtain updates. To obtain updates from Microsoft Update, the WSUS server uses port 80 for HTTP protocol and port 443 for HTTPS protocol. This is not configurable. If your organization does not allow those ports and protocols open to all addresses, you can restrict access to only the following domains so that WSUS and Automatic Updates can communicate with Microsoft Update:

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com

http://technet.microsoft.com/en-us/library/cc708605(WS.10).aspx

Well. Though it seems to be helpful, it really isn’t. If you use even half of a decent firewall, you know that you can’t configure DNS names in it. And there is a good reason for that.

If you could configure DNS names instead of IP addresses or ranges, you could basically bypass the firewall by simply changing the DNS resolution. Since DNS is always based on more or less trusting other systems to give you the right IP for a name, you hand that part of the decision over to someone else. As a golden rule: you simply don’t configure DNS names in a firewall (especially not with asterisks) when you want it secure.

So I’ll continue checking the synchronisation manually every now and then and adding the new IP addresses to the firewall. Sigh.
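The manual routine described above (resolve the vendor’s hostnames, see which addresses the IP-based rule set does not yet allow, add them) can at least be scripted so the diff is reviewed rather than discovered from a failed synchronisation. The following is an added example, not code from the original post or from Microsoft: it takes the hostnames from the TechNet list quoted above, resolves the literal ones, reports the wildcard ones as unresolvable (a firewall cannot follow “*.update.microsoft.com”), and prints the addresses missing from the current allow-list. The resolver is injectable; the built-in sample answers and the sample allow-list are constructed from RFC 5737 documentation ranges so that the script runs offline, and the rule syntax it prints is a placeholder, not any particular firewall’s format.

```python
"""Show which IPs behind the Microsoft Update hostnames are not yet
allowed by an IP-based firewall rule set (added example, not the post's
own tooling)."""
import ipaddress
import socket

# Hostnames from the TechNet list quoted in the post (scheme dropped below).
UPDATE_URLS = [
    "http://windowsupdate.microsoft.com",
    "http://*.windowsupdate.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
    "http://*.update.microsoft.com",
    "https://*.update.microsoft.com",
    "http://*.windowsupdate.com",
    "http://download.windowsupdate.com",
    "http://download.microsoft.com",
    "http://*.download.windowsupdate.com",
    "http://wustat.windows.com",
    "http://ntservicepack.microsoft.com",
]


def hostnames(urls):
    """Unique host parts of the URLs, in first-seen order."""
    seen = []
    for url in urls:
        host = url.split("://", 1)[-1].split("/", 1)[0].lower()
        if host and host not in seen:
            seen.append(host)
    return seen


def system_resolver(host):
    """Live lookup through the OS resolver (IPv4 and IPv6)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def resolve_all(hosts, resolver=system_resolver):
    """Resolve literal hosts; wildcard entries are collected, not resolved."""
    addresses, wildcards = {}, []
    for host in hosts:
        if host.startswith("*."):
            wildcards.append(host)
            continue
        try:
            addresses[host] = resolver(host)
        except OSError:  # socket.gaierror is a subclass; surface as empty
            addresses[host] = []
    return addresses, wildcards


def missing_from_allowlist(addresses, allowlist):
    """Addresses seen now that no allowed network covers, keyed by host."""
    networks = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    missing = {}
    for host, ips in addresses.items():
        for ip in ips:
            if not any(ipaddress.ip_address(ip) in net for net in networks):
                missing.setdefault(host, []).append(ip)
    return missing


def render_rules(missing):
    """One allow line per new address; placeholder syntax, ports per TechNet."""
    return [f"allow tcp to {ip} port 80,443  # {host}"
            for host in sorted(missing) for ip in missing[host]]


# Constructed sample answers (RFC 5737 ranges, not real Microsoft addresses)
# so the example runs without network access.
SAMPLE_ANSWERS = {
    "windowsupdate.microsoft.com": ["192.0.2.10", "192.0.2.11"],
    "download.windowsupdate.com": ["198.51.100.5"],
    "download.microsoft.com": ["198.51.100.6", "203.0.113.7"],
    "wustat.windows.com": ["203.0.113.20"],
    "ntservicepack.microsoft.com": ["192.0.2.10"],
}


def sample_resolver(host):
    if host not in SAMPLE_ANSWERS:
        raise OSError(f"no constructed answer for {host}")
    return SAMPLE_ANSWERS[host]


# Constructed: what the firewall allows today.
CURRENT_ALLOWLIST = ["192.0.2.0/28", "198.51.100.5/32"]


def run_check(resolver=sample_resolver, allowlist=CURRENT_ALLOWLIST):
    addresses, wildcards = resolve_all(hostnames(UPDATE_URLS), resolver)
    return missing_from_allowlist(addresses, allowlist), wildcards


if __name__ == "__main__":
    missing, wildcards = run_check()  # pass system_resolver for a live run
    for line in render_rules(missing):
        print(line)
    for w in wildcards:
        print(f"# {w}: wildcard, cannot be resolved; needs a proxy or vendor IP list")
```

Pass `system_resolver` and your real allow-list to `run_check` for a live check; the point of keeping the diff step separate from the rule step is that new addresses get looked at before they are trusted, which is exactly the review a DNS-based rule would skip.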